BookStack Code Mirror - bookstack/blobdiff - app/Auth/Access/LdapService.php

-<?php namespace BookStack\Auth\Access;

+<?php

+

+namespace BookStack\Auth\Access;

-use BookStack\Auth\Access;

-use BookStack\Auth\Role;

use BookStack\Auth\User;

-use BookStack\Auth\UserRepo;

+use BookStack\Exceptions\JsonDebugException;

use BookStack\Exceptions\LdapException;

-use Illuminate\Contracts\Auth\Authenticatable;

-use Illuminate\Database\Eloquent\Builder;

+use BookStack\Uploads\UserAvatars;

+use ErrorException;

+use Illuminate\Support\Facades\Log;

/**

* Class LdapService

* Handles any app-specific LDAP tasks.

/**

* Class LdapService

* Handles any app-specific LDAP tasks.

- * @package BookStack\Services

*/

class LdapService

{

*/

class LdapService

{

+ protected Ldap $ldap;

+ protected GroupSyncService $groupSyncService;

+ protected UserAvatars $userAvatars;

- protected $ldap;

+ /**

+ * @var resource

+ */

protected $ldapConnection;

- protected $config;

- protected $userRepo;

- protected $enabled;

+

+ protected array $config;

+ protected bool $enabled;

/**

* LdapService constructor.

/**

* LdapService constructor.

- * @param Ldap $ldap

- * @param \BookStack\Auth\UserRepo $userRepo

*/

- public function __construct(Access\Ldap $ldap, UserRepo $userRepo)

+ public function __construct(Ldap $ldap, UserAvatars $userAvatars, GroupSyncService $groupSyncService)

{

$this->ldap = $ldap;

{

$this->ldap = $ldap;

+ $this->userAvatars = $userAvatars;

+ $this->groupSyncService = $groupSyncService;

$this->config = config('services.ldap');

- $this->userRepo = $userRepo;

$this->enabled = config('auth.method') === 'ldap';

}

/**

* Check if groups should be synced.

$this->enabled = config('auth.method') === 'ldap';

}

/**

* Check if groups should be synced.

- * @return bool

*/

- public function shouldSyncGroups()

+ public function shouldSyncGroups(): bool

{

return $this->enabled && $this->config['user_to_groups'] !== false;

}

/**

{

return $this->enabled && $this->config['user_to_groups'] !== false;

}

/**

- * Search for attributes for a specific user on the ldap

- * @param string $userName

- * @param array $attributes

- * @return null|array

+ * Search for attributes for a specific user on the ldap.

+ *

* @throws LdapException

*/

* @throws LdapException

*/

- private function getUserWithAttributes($userName, $attributes)

+ private function getUserWithAttributes(string $userName, array $attributes): ?array

{

$ldapConnection = $this->getConnection();

$this->bindSystemUser($ldapConnection);

{

$ldapConnection = $this->getConnection();

$this->bindSystemUser($ldapConnection);

+ // Clean attributes

+ foreach ($attributes as $index => $attribute) {

+ if (strpos($attribute, 'BIN;') === 0) {

+ $attributes[$index] = substr($attribute, strlen('BIN;'));

+ }

+

// Find user

$userFilter = $this->buildFilter($this->config['user_filter'], ['user' => $userName]);

$baseDn = $this->config['base_dn'];

// Find user

$userFilter = $this->buildFilter($this->config['user_filter'], ['user' => $userName]);

$baseDn = $this->config['base_dn'];

/**

* Get the details of a user from LDAP using the given username.

* User found via configurable user filter.

/**

* Get the details of a user from LDAP using the given username.

* User found via configurable user filter.

- * @param $userName

- * @return array|null

+ *

* @throws LdapException

*/

* @throws LdapException

*/

- public function getUserDetails($userName)

+ public function getUserDetails(string $userName): ?array

{

+ $idAttr = $this->config['id_attribute'];

$emailAttr = $this->config['email_attribute'];

$displayNameAttr = $this->config['display_name_attribute'];

$emailAttr = $this->config['email_attribute'];

$displayNameAttr = $this->config['display_name_attribute'];

+ $thumbnailAttr = $this->config['thumbnail_attribute'];

- $user = $this->getUserWithAttributes($userName, ['cn', 'uid', 'dn', $emailAttr, $displayNameAttr]);

+ $user = $this->getUserWithAttributes($userName, array_filter([

+ 'cn', 'dn', $idAttr, $emailAttr, $displayNameAttr, $thumbnailAttr,

+ ]));

- if ($user === null) {

+ if (is_null($user)) {

return null;

}

$userCn = $this->getUserResponseProperty($user, 'cn', null);

return null;

}

$userCn = $this->getUserResponseProperty($user, 'cn', null);

- return [

- 'uid' => $this->getUserResponseProperty($user, 'uid', $user['dn']),

- 'name' => $this->getUserResponseProperty($user, $displayNameAttr, $userCn),

+ $formatted = [

+ 'uid' => $this->getUserResponseProperty($user, $idAttr, $user['dn']),

+ 'name' => $this->getUserResponseProperty($user, $displayNameAttr, $userCn),

'dn' => $user['dn'],

'email' => $this->getUserResponseProperty($user, $emailAttr, null),

'dn' => $user['dn'],

'email' => $this->getUserResponseProperty($user, $emailAttr, null),

+ 'avatar'=> $thumbnailAttr ? $this->getUserResponseProperty($user, $thumbnailAttr, null) : null,

];

+

+ if ($this->config['dump_user_details']) {

+ throw new JsonDebugException([

+ 'details_from_ldap' => $user,

+ 'details_bookstack_parsed' => $formatted,

+ ]);

+ }

+

+ return $formatted;

}

/**

* Get a property from an LDAP user response fetch.

* Handles properties potentially being part of an array.

}

/**

* Get a property from an LDAP user response fetch.

* Handles properties potentially being part of an array.

- * @param array $userDetails

- * @param string $propertyKey

- * @param $defaultValue

- * @return mixed

+ * If the given key is prefixed with 'BIN;', that indicator will be stripped

+ * from the key and any fetched values will be converted from binary to hex.

*/

protected function getUserResponseProperty(array $userDetails, string $propertyKey, $defaultValue)

{

*/

protected function getUserResponseProperty(array $userDetails, string $propertyKey, $defaultValue)

{

+ $isBinary = strpos($propertyKey, 'BIN;') === 0;

+ $propertyKey = strtolower($propertyKey);

+ $value = $defaultValue;

+

+ if ($isBinary) {

+ $propertyKey = substr($propertyKey, strlen('BIN;'));

+ }

+

if (isset($userDetails[$propertyKey])) {

- return (is_array($userDetails[$propertyKey]) ? $userDetails[$propertyKey][0] : $userDetails[$propertyKey]);

+ $value = (is_array($userDetails[$propertyKey]) ? $userDetails[$propertyKey][0] : $userDetails[$propertyKey]);

+ if ($isBinary) {

+ $value = bin2hex($value);

+ }

}

- return $defaultValue;

+ return $value;

}

/**

}

/**

- * @param Authenticatable $user

- * @param string $username

- * @param string $password

- * @return bool

+ * Check if the given credentials are valid for the given user.

+ *

* @throws LdapException

*/

* @throws LdapException

*/

- public function validateUserCredentials(Authenticatable $user, $username, $password)

+ public function validateUserCredentials(?array $ldapUserDetails, string $password): bool

{

- $ldapUser = $this->getUserDetails($username);

- if ($ldapUser === null) {

- return false;

- }

-

- if ($ldapUser['uid'] !== $user->external_auth_id) {

+ if (is_null($ldapUserDetails)) {

return false;

}

$ldapConnection = $this->getConnection();

return false;

}

$ldapConnection = $this->getConnection();

+

try {

- $ldapBind = $this->ldap->bind($ldapConnection, $ldapUser['dn'], $password);

- } catch (\ErrorException $e) {

+ $ldapBind = $this->ldap->bind($ldapConnection, $ldapUserDetails['dn'], $password);

+ } catch (ErrorException $e) {

$ldapBind = false;

}

$ldapBind = false;

}

/**

* Bind the system user to the LDAP connection using the given credentials

* otherwise anonymous access is attempted.

/**

* Bind the system user to the LDAP connection using the given credentials

* otherwise anonymous access is attempted.

- * @param $connection

+ *

+ * @param resource $connection

+ *

* @throws LdapException

*/

protected function bindSystemUser($connection)

* @throws LdapException

*/

protected function bindSystemUser($connection)

/**

* Get the connection to the LDAP server.

* Creates a new connection if one does not exist.

/**

* Get the connection to the LDAP server.

* Creates a new connection if one does not exist.

- * @return resource

+ *

* @throws LdapException

+ *

+ * @return resource

*/

protected function getConnection()

{

*/

protected function getConnection()

{

throw new LdapException(trans('errors.ldap_extension_not_installed'));

}

throw new LdapException(trans('errors.ldap_extension_not_installed'));

}

- // Get port from server string and protocol if specified.

- $ldapServer = explode(':', $this->config['server']);

- $hasProtocol = preg_match('/^ldaps{0,1}\:\/\//', $this->config['server']) === 1;

- if (!$hasProtocol) {

- array_unshift($ldapServer, '');

- }

- $hostName = $ldapServer[0] . ($hasProtocol?':':'') . $ldapServer[1];

- $defaultPort = $ldapServer[0] === 'ldaps' ? 636 : 389;

-

- /*

- * Check if TLS_INSECURE is set. The handle is set to NULL due to the nature of

- * the LDAP_OPT_X_TLS_REQUIRE_CERT option. It can only be set globally and not

- * per handle.

- */

+ // Disable certificate verification.

+ // This option works globally and must be set before a connection is created.

if ($this->config['tls_insecure']) {

$this->ldap->setOption(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);

}

if ($this->config['tls_insecure']) {

$this->ldap->setOption(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);

}

- $ldapConnection = $this->ldap->connect($hostName, count($ldapServer) > 2 ? intval($ldapServer[2]) : $defaultPort);

+ $serverDetails = $this->parseServerString($this->config['server']);

+ $ldapConnection = $this->ldap->connect($serverDetails['host'], $serverDetails['port']);

if ($ldapConnection === false) {

throw new LdapException(trans('errors.ldap_cannot_connect'));

if ($ldapConnection === false) {

throw new LdapException(trans('errors.ldap_cannot_connect'));

$this->ldap->setVersion($ldapConnection, $this->config['version']);

}

$this->ldap->setVersion($ldapConnection, $this->config['version']);

}

+ // Start and verify TLS if it's enabled

+ if ($this->config['start_tls']) {

+ $started = $this->ldap->startTls($ldapConnection);

+ if (!$started) {

+ throw new LdapException('Could not start TLS connection');

+ }

+

$this->ldapConnection = $ldapConnection;

+

return $this->ldapConnection;

}

return $this->ldapConnection;

}

+ /**

+ * Parse a LDAP server string and return the host and port for a connection.

+ * Is flexible to formats such as 'ldap.example.com:8069' or 'ldaps://ldap.example.com'.

+ */

+ protected function parseServerString(string $serverString): array

+ {

+ $serverNameParts = explode(':', $serverString);

+

+ // If we have a protocol just return the full string since PHP will ignore a separate port.

+ if ($serverNameParts[0] === 'ldaps' || $serverNameParts[0] === 'ldap') {

+ return ['host' => $serverString, 'port' => 389];

+ }

+

+ // Otherwise, extract the port out

+ $hostName = $serverNameParts[0];

+ $ldapPort = (count($serverNameParts) > 1) ? intval($serverNameParts[1]) : 389;

+

+ return ['host' => $hostName, 'port' => $ldapPort];

+ }

+

/**

* Build a filter string by injecting common variables.

/**

* Build a filter string by injecting common variables.

- * @param string $filterString

- * @param array $attrs

- * @return string

*/

- protected function buildFilter($filterString, array $attrs)

+ protected function buildFilter(string $filterString, array $attrs): string

{

$newAttrs = [];

foreach ($attrs as $key => $attrText) {

$newKey = '${' . $key . '}';

$newAttrs[$newKey] = $this->ldap->escape($attrText);

}

{

$newAttrs = [];

foreach ($attrs as $key => $attrText) {

$newKey = '${' . $key . '}';

$newAttrs[$newKey] = $this->ldap->escape($attrText);

}

+

return strtr($filterString, $newAttrs);

}

/**

return strtr($filterString, $newAttrs);

}

/**

- * Get the groups a user is a part of on ldap

- * @param string $userName

- * @return array

+ * Get the groups a user is a part of on ldap.

+ *

* @throws LdapException

+ * @throws JsonDebugException

*/

- public function getUserGroups($userName)

+ public function getUserGroups(string $userName): array

{

$groupsAttr = $this->config['group_attribute'];

$user = $this->getUserWithAttributes($userName, [$groupsAttr]);

{

$groupsAttr = $this->config['group_attribute'];

$user = $this->getUserWithAttributes($userName, [$groupsAttr]);

}

$userGroups = $this->groupFilter($user);

}

$userGroups = $this->groupFilter($user);

- $userGroups = $this->getGroupsRecursive($userGroups, []);

- return $userGroups;

+ $allGroups = $this->getGroupsRecursive($userGroups, []);

+

+ if ($this->config['dump_user_groups']) {

+ throw new JsonDebugException([

+ 'details_from_ldap' => $user,

+ 'parsed_direct_user_groups' => $userGroups,

+ 'parsed_recursive_user_groups' => $allGroups,

+ ]);

+ }

+

+ return $allGroups;

}

/**

}

/**

- * Get the parent groups of an array of groups

- * @param array $groupsArray

- * @param array $checked

- * @return array

+ * Get the parent groups of an array of groups.

+ *

* @throws LdapException

*/

* @throws LdapException

*/

- private function getGroupsRecursive($groupsArray, $checked)

+ private function getGroupsRecursive(array $groupsArray, array $checked): array

{

- $groups_to_add = [];

+ $groupsToAdd = [];

foreach ($groupsArray as $groupName) {

if (in_array($groupName, $checked)) {

continue;

}

foreach ($groupsArray as $groupName) {

if (in_array($groupName, $checked)) {

continue;

}

- $groupsToAdd = $this->getGroupGroups($groupName);

- $groups_to_add = array_merge($groups_to_add, $groupsToAdd);

+ $parentGroups = $this->getGroupGroups($groupName);

+ $groupsToAdd = array_merge($groupsToAdd, $parentGroups);

$checked[] = $groupName;

}

$checked[] = $groupName;

}

- $groupsArray = array_unique(array_merge($groupsArray, $groups_to_add), SORT_REGULAR);

- if (!empty($groups_to_add)) {

- return $this->getGroupsRecursive($groupsArray, $checked);

- } else {

+ $groupsArray = array_unique(array_merge($groupsArray, $groupsToAdd), SORT_REGULAR);

+

+ if (empty($groupsToAdd)) {

return $groupsArray;

}

return $groupsArray;

}

+

+ return $this->getGroupsRecursive($groupsArray, $checked);

}

/**

}

/**

- * Get the parent groups of a single group

- * @param string $groupName

- * @return array

+ * Get the parent groups of a single group.

+ *

* @throws LdapException

*/

* @throws LdapException

*/

- private function getGroupGroups($groupName)

+ private function getGroupGroups(string $groupName): array

{

$ldapConnection = $this->getConnection();

$this->bindSystemUser($ldapConnection);

{

$ldapConnection = $this->getConnection();

$this->bindSystemUser($ldapConnection);

return [];

}

return [];

}

- $groupGroups = $this->groupFilter($groups[0]);

- return $groupGroups;

+ return $this->groupFilter($groups[0]);

}

/**

}

/**

- * Filter out LDAP CN and DN language in a ldap search return

- * Gets the base CN (common name) of the string

- * @param array $userGroupSearchResponse

- * @return array

+ * Filter out LDAP CN and DN language in a ldap search return.

+ * Gets the base CN (common name) of the string.

*/

- protected function groupFilter(array $userGroupSearchResponse)

+ protected function groupFilter(array $userGroupSearchResponse): array

{

$groupsAttr = strtolower($this->config['group_attribute']);

$ldapGroups = [];

{

$groupsAttr = strtolower($this->config['group_attribute']);

$ldapGroups = [];

$count = (int) $userGroupSearchResponse[$groupsAttr]['count'];

}

$count = (int) $userGroupSearchResponse[$groupsAttr]['count'];

}

- for ($i=0; $i<$count; $i++) {

+ for ($i = 0; $i < $count; $i++) {

$dnComponents = $this->ldap->explodeDn($userGroupSearchResponse[$groupsAttr][$i], 1);

if (!in_array($dnComponents[0], $ldapGroups)) {

$ldapGroups[] = $dnComponents[0];

$dnComponents = $this->ldap->explodeDn($userGroupSearchResponse[$groupsAttr][$i], 1);

if (!in_array($dnComponents[0], $ldapGroups)) {

$ldapGroups[] = $dnComponents[0];

}

/**

}

/**

- * Sync the LDAP groups to the user roles for the current user

- * @param \BookStack\Auth\User $user

- * @param string $username

+ * Sync the LDAP groups to the user roles for the current user.

+ *

* @throws LdapException

+ * @throws JsonDebugException

*/

public function syncGroups(User $user, string $username)

{

$userLdapGroups = $this->getUserGroups($username);

*/

public function syncGroups(User $user, string $username)

{

$userLdapGroups = $this->getUserGroups($username);

-

- // Get the ids for the roles from the names

- $ldapGroupsAsRoles = $this->matchLdapGroupsToSystemsRoles($userLdapGroups);

-

- // Sync groups

- if ($this->config['remove_from_groups']) {

- $user->roles()->sync($ldapGroupsAsRoles);

- $this->userRepo->attachDefaultRole($user);

- } else {

- $user->roles()->syncWithoutDetaching($ldapGroupsAsRoles);

- }

+ $this->groupSyncService->syncUserWithFoundGroups($user, $userLdapGroups, $this->config['remove_from_groups']);

}

/**

}

/**

- * Match an array of group names from LDAP to BookStack system roles.

- * Formats LDAP group names to be lower-case and hyphenated.

- * @param array $groupNames

- * @return \Illuminate\Support\Collection

+ * Save and attach an avatar image, if found in the ldap details, and attach

+ * to the given user model.

*/

- protected function matchLdapGroupsToSystemsRoles(array $groupNames)

+ public function saveAndAttachAvatar(User $user, array $ldapUserDetails): void

{

- foreach ($groupNames as $i => $groupName) {

- $groupNames[$i] = str_replace(' ', '-', trim(strtolower($groupName)));

+ if (is_null(config('services.ldap.thumbnail_attribute')) || is_null($ldapUserDetails['avatar'])) {

+ return;

}

- $roles = Role::query()->where(function (Builder $query) use ($groupNames) {

- $query->whereIn('name', $groupNames);

- foreach ($groupNames as $groupName) {

- $query->orWhere('external_auth_id', 'LIKE', '%' . $groupName . '%');

- }

- })->get();

-

- $matchedRoles = $roles->filter(function (Role $role) use ($groupNames) {

- return $this->roleMatchesGroupNames($role, $groupNames);

- });

-

- return $matchedRoles->pluck('id');

- }

-

- /**

- * Check a role against an array of group names to see if it matches.

- * Checked against role 'external_auth_id' if set otherwise the name of the role.

- * @param \BookStack\Auth\Role $role

- * @param array $groupNames

- * @return bool

- */

- protected function roleMatchesGroupNames(Role $role, array $groupNames)

- {

- if ($role->external_auth_id) {

- $externalAuthIds = explode(',', strtolower($role->external_auth_id));

- foreach ($externalAuthIds as $externalAuthId) {

- if (in_array(trim($externalAuthId), $groupNames)) {

- return true;

- }

- return false;

+ try {

+ $imageData = $ldapUserDetails['avatar'];

+ $this->userAvatars->assignToUserFromExistingData($user, $imageData, 'jpg');

+ } catch (\Exception $exception) {

+ Log::info("Failed to use avatar image from LDAP data for user id {$user->id}");

}

-

- $roleName = str_replace(' ', '-', trim(strtolower($role->display_name)));

- return in_array($roleName, $groupNames);

}